CVE-2026-34985
Status: Received - Intake
Insecure Direct Object Reference in LORIS Media Module

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters out files that the user should not have access to, the backend did not apply access checks, so someone who should not have access to a file could retrieve it if they knew the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
mcgill | loris | 28.0.0
mcgill | loris | From 16.1.0 (inc) to 27.0.2 (inc)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34985 is an authorization bypass vulnerability in the media module of the LORIS web application versions 16.1.0 through 28.0.0.

The issue occurs because although the frontend filters files to restrict user access, the backend does not enforce these access checks.

As a result, an attacker who knows the filename of a file can access files they should not be authorized to view.

This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key.

It has been fixed in LORIS versions 27.0.3 and 28.0.1.


How can this vulnerability impact me?

This vulnerability allows unauthorized users to access files they should not have permission to view if they know the filenames.

Such unauthorized access can lead to exposure of sensitive or confidential neuroimaging research data managed by LORIS.

The CVSS score of 6.3 indicates a moderate severity, meaning the impact on confidentiality, integrity, and availability is low but still significant.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to files by bypassing backend access controls when the filename is known. Detection would involve monitoring for unusual or unauthorized file access attempts, especially requests to the media module endpoints with filenames that users should not have access to.

Specific commands or tools are not provided in the available resources. However, general approaches could include reviewing web server logs for suspicious access patterns, using network monitoring tools to detect unauthorized file retrieval attempts, or employing web application security scanners to test for authorization bypass vulnerabilities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized access to files by bypassing backend access controls in the LORIS media module. Such unauthorized data access could potentially lead to exposure of sensitive or personal data.

Because regulations like GDPR and HIPAA require strict controls over access to personal and sensitive data, this authorization bypass vulnerability could result in non-compliance with these standards if exploited.

Organizations using affected versions of LORIS should update to fixed versions (27.0.3 or 28.0.1) to mitigate the risk and maintain compliance with data protection regulations.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade LORIS to a fixed version where the vulnerability is resolved. Specifically, upgrading to version 27.0.3 or 28.0.1 will address the authorization bypass issue in the media module.

Until the upgrade can be applied, consider restricting access to the media module backend endpoints to trusted users only, implementing additional access controls at the network or application level, and monitoring for suspicious file access attempts.

